Network Storage Protocols Discussions

CIFS only Domain Admin has Access


We’ve noticed a problem with our NetApp where if we make a change to a user’s groups via NIS the NetApp seems to take days to pick up the change.

This morning we added one of our users to an existing Linux group that’s under NIS control, we update the NIS maps as normal but then noticed that the user didn’t have access to the files protected by that group.

Looking into this further we can see that the user is in the group on any of our Linux clients, the user is ‘wrae’ and the group is called ‘facilities’:-


$ id wrae

uid=967(wrae) gid=1009(wrae) groups=1009(wrae),851(swrecruit),1012(purchasing),560(facilities),952(managementteammeeting),978(swinterviewfeedback),100(users),561(vpn)


If we lookup the user on the NetApp we get this:-


ukcamsnetapp::*> vserver services name-service getxxbyyy getgrlist -node ukcamsnetapp1 -vserver UKCAM_CIFS -username wrae

pw_name: wrae

Groups: 1009 851 1012 100 978 952 561


*Note that group 560 is missing!


Interestingly if we lookup the group on the NetApp ‘wrae’ is listed as part of the group??:-

ukcamsnetapp::*> vserver services name-service getxxbyyy getgrbyname -node ukcamsnetapp1 -vserver UKCAM_CIFS -groupname facilities

name: facilities

gid: 560

gr_mem: adh cparsons lmurfet jeaves johnlee nhills kgolebiowska istacey kkowaki aroebuck nsakita mgerdauskas nfleet alacel-suchecka dking ksaul cwilson mwalenczykowski bkozak mtarnawska-pysz sbrown rhewson dgelzinyte mmcloughlin wrae


We first noticed this problem about a week ago, we added a new Linux group and added some users to it. Again the group was visible from our Linux clients but not the NetApp.

We ended up leaving the problem over the weekend and on the Monday (or possible Tuesday) the problem had fixed it’s self (group was now visible from the NetApp)


Is there a time out period for this to happen?




Re: CIFS only Domain Admin has Access


Let me hopefully save you a lot of troubleshooting time, I just went through this exact issue about a month ago.


By default, ONTAP rebuilds its local NIS group database once every 24 hours. You can see this by running the "vserver services name-service nis-domain group-database config show" command in diagnostic mode. You can also see the last build time of the local NIS group database by running the "vserver services name-service nis-domain group-database status" command. 


You may want to change the frequency that ONTAP rebuilds this database - it can be done using the "vserver services name-service nis-domain group-database config modify -vserver <vserver_name> -state enabled -build-interval <interval_in_minutes>" command. 


Alternatively, you could modify your ns-switch configuration to query NIS first and then local files second using the "vserver services name-service ns-switch modify" commands, supplying the appropriate values. 


Finally, here is a KB article that explains it:


Hope that helps!



View solution in original post

Earn Rewards for Your Review!
GPI Review Banner
All Community Forums